Hi Dave,

Thanks. I don't see any issues with it loading the daily.cld. I'm going to wipe it out and let Freshclam reload it and the ign.

-J

On Tue, May 17, 2016 at 2:02 PM, David Raynor <dray...@sourcefire.com> wrote:

> If you run clamscan with "--debug" it will tell you which files it is
> loading, even the files inside a cvd or cld file. It will also remark about
> which signatures it skips when loading.
>
> You should see these lines within your debug output:
>
> ...
> LibClamAV debug: daily.ign2 loaded
> ...
> LibClamAV debug: /var/lib/clamav/daily.cld loaded
> ...
> LibClamAV debug: Ignoring signature Win.Trojan.Trojan-605
> ...
> LibClamAV debug: main.ndb loaded
> ...
>
> Which of these rows you see is going to be affected by the contents of your
> database, but this is what I see with an up-to-date daily and main.cvd. The
> signature is in the latest main. The ignore is set in the latest daily
> (21562) and has been for weeks. Once you get to a fresh enough daily it
> will have the ignore set. If there is something else going on that is
> preventing clamscan from loading that daily.cld (e.g. file permissions,
> path difference) that would be the culprit.
>
> Hope this helps,
>
> Dave R.
>
> On Tue, May 17, 2016 at 4:33 PM, Jason J. W. Williams <jasonjwwilli...@gmail.com> wrote:
>
> > Yessir:
> >
> > # sigtool -u /var/lib/clamav/daily.cld
> >
> > # grep -i 'Win.Trojan.Trojan-605' daily.ign
> > main:42:Win.Trojan.Trojan-605
> >
> > On Tue, May 17, 2016 at 1:25 PM, Alain Zidouemba <azidoue...@sourcefire.com> wrote:
> >
> > > $ sigtool -u /usr/local/share/clamav/daily.cld
> > >
> > > $ grep -i 'Win.Trojan.Trojan-605' daily.ign
> > > main:42:Win.Trojan.Trojan-605
> > >
> > > Same on your end?
> > >
> > > - Alain
> > >
> > > On Tue, May 17, 2016 at 4:22 PM, Jason J. W. Williams <jasonjwwilli...@gmail.com> wrote:
> > >
> > > > We do.
> > > >
> > > > -J
> > > >
> > > > On Tue, May 17, 2016 at 1:13 PM, Alain Zidouemba <azidoue...@sourcefire.com> wrote:
> > > >
> > > > > Jason:
> > > > >
> > > > > Do you have both main.cvd and daily.cvd? Win.Trojan.Trojan-605 was
> > > > > dropped several weeks ago, but would only be reflected in your
> > > > > installation if you have both main.cvd and daily.cvd. Please confirm.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > - Alain
> > > > >
> > > > > On Tue, May 17, 2016 at 4:11 PM, Jason J. W. Williams <jasonjwwilli...@gmail.com> wrote:
> > > > >
> > > > > > No, ClamAV 0.98.7.
> > > > > >
> > > > > > -J
> > > > > >
> > > > > > On Mon, May 16, 2016 at 11:25 PM, Al Varnell <alvarn...@mac.com> wrote:
> > > > > >
> > > > > > > I’m unable to replicate your findings:
> > > > > > >
> > > > > > > ~/Downloads/2016-05-16/eicar.txt: Eicar-Test-Signature FOUND
> > > > > > >
> > > > > > > Taking a look at the current daily.cld I see entries in both
> > > > > > > ignore sections:
> > > > > > >
> > > > > > > daily.ign
> > > > > > > 1374
> > > > > > > 002516
> > > > > > >
> > > > > > > fake:1:Dont_remove_this_line
> > > > > > > ...
> > > > > > > main:42:Win.Trojan.Trojan-605
> > > > > > >
> > > > > > > daily.ign2
> > > > > > >
> > > > > > > 1072 002573
> > > > > > >
> > > > > > > fake_dont_remove_this_line
> > > > > > > ...
> > > > > > > Win.Trojan.Trojan-605
> > > > > > >
> > > > > > > I wonder if it’s engine specific? Are you using 0.99.x?
> > > > > > >
> > > > > > > -Al-
> > > > > > >
> > > > > > > On Mon, May 16, 2016 at 01:45 PM, Jason J. W. Williams wrote:
> > > > > > > >
> > > > > > > > Looks like EICAR is getting classified as Win.Trojan.Trojan-605
> > > > > > > > again (daily 21557).
> > > > > > > >
> > > > > > > > https://gist.github.com/williamsjj/b8104402e80f44475df5
> > > > > > > >
> > > > > > > > -J
> > > > > > > >
> > > > > > > > On Wed, Mar 16, 2016 at 8:54 PM, Al Varnell <alvarn...@mac.com> wrote:
> > > > > > > >
> > > > > > > >> The new database was just made available, so I recommend you
> > > > > > > >> hold off until you have the new main.cvd v57 and daily.cvd
> > > > > > > >> v21466 before getting too excited about this.
> > > > > > > >>
> > > > > > > >> -Al-
> > > > > > > >>
> > > > > > > >> On Wed, Mar 16, 2016 at 08:49 PM, Jason J. W. Williams wrote:
> > > > > > > >>>
> > > > > > > >>> As of the latest daily update, running ClamAV against the
> > > > > > > >>> EICAR test string reports Win.Trojan.Trojan-605 instead of
> > > > > > > >>> Eicar-Test-Signature.
> > > > > > > >>>
> > > > > > > >>> -J
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Help us build a comprehensive ClamAV guide:
> > > > > > > https://github.com/vrtadmin/clamav-faq
> > > > > > >
> > > > > > > http://www.clamav.net/contact.html#ml
>
> --
> ---
> Dave Raynor
> Talos Security Intelligence and Research Group
> dray...@sourcefire.com
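
The two checks discussed in this thread, run against saved artifacts, as an added example that is not part of the original messages: whether the unpacked `daily.ign` / `daily.ign2` name the signature, and whether a saved `clamscan --debug` log shows the daily database loaded and the signature ignored. The function names and sample files are constructed here, and the entry formats are assumed from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example: automate the two checks from the thread on saved artifacts.

# Which unpacked ignore lists (from `sigtool -u daily.cld`) name the signature?
# Prints "ign", "ign2", "ign,ign2" or "none".
ignore_status() {
    sig=$1; dir=$2; hits=""
    # daily.ign rows as quoted in the thread: db:line:signature
    if [ -r "$dir/daily.ign" ] &&
       awk -F: -v s="$sig" '$3 == s { f = 1 } END { exit !f }' "$dir/daily.ign"; then
        hits="ign"
    fi
    # daily.ign2 rows as quoted in the thread: bare signature name
    if [ -r "$dir/daily.ign2" ] && grep -Fxq -- "$sig" "$dir/daily.ign2"; then
        hits="${hits:+$hits,}ign2"
    fi
    echo "${hits:-none}"
}

# Does a saved `clamscan --debug` log show the daily database loaded and the
# signature skipped? Prints "ok", "daily-not-loaded" or "not-ignored".
debug_status() {
    sig=$1; log=$2
    grep -Eq '^LibClamAV debug: .*daily\.(cld|cvd) loaded$' "$log" ||
        { echo "daily-not-loaded"; return 0; }
    grep -Fxq -- "LibClamAV debug: Ignoring signature $sig" "$log" ||
        { echo "not-ignored"; return 0; }
    echo "ok"
}

# Constructed sample data, modeled on the lines quoted in the thread.
make_sample() {
    printf '%s\n' 'fake:1:Dont_remove_this_line' \
        'main:42:Win.Trojan.Trojan-605' > "$1/daily.ign"
    printf '%s\n' 'fake_dont_remove_this_line' \
        'Win.Trojan.Trojan-605' > "$1/daily.ign2"
    printf '%s\n' 'LibClamAV debug: daily.ign2 loaded' \
        'LibClamAV debug: /var/lib/clamav/daily.cld loaded' \
        'LibClamAV debug: Ignoring signature Win.Trojan.Trojan-605' \
        'LibClamAV debug: main.ndb loaded' > "$1/good.log"
    # Stale or unreadable daily: only main is loaded, so nothing is ignored.
    printf '%s\n' 'LibClamAV debug: main.ndb loaded' > "$1/stale.log"
}

tmp=$(mktemp -d) && make_sample "$tmp"
sig='Win.Trojan.Trojan-605'
echo "ignore lists: $(ignore_status "$sig" "$tmp")"
echo "good.log:     $(debug_status "$sig" "$tmp/good.log")"
echo "stale.log:    $(debug_status "$sig" "$tmp/stale.log")"
rm -rf "$tmp"
```

A "daily-not-loaded" result with the signature present in both ignore lists points at the cause Dave names: the scanner is not reading that daily.cld (file permissions or a path difference).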